RSAC: Is Someone Watching Every Time You Touch Your Smartphone?

New research shows how remarkably easy it is to capture and record every tap on your touch screen, and how to use it against you.

Keyloggers are nasty little programs that sit on your PC and diligently record every single keystroke. If you want to steal someone's banking passwords, keyloggers are the perfect tool. Presenting at RSAC 2014, Square's Security Engineering Manager Nathan McCauley and Trustwave's Senior Security Consultant Neal Hindocha showed that doing the same thing on a touchscreen smartphone isn't difficult at all.

Finding Fingers

The best way to intercept touch information on iOS is through "method swizzling." McCauley said this was "like a man-in-the-middle attack for method calls within the operating system." If you know there's a particular method that's going to be called, explained McCauley, you can insert a library that intercepts and logs the event before passing the event along as normal. The practical upshot is that you can grab all kinds of information—even screenshots—without affecting the phone's performance.

Typically, this would require that the iPhone be jailbroken first. However, the presenters acknowledged research from FireEye released earlier in the week that showed this wasn't necessarily the case. Until Apple updates iOS, users could potentially be monitored even if their device isn't jailbroken.

On rooted Android devices it's even easier. Hindocha used the "getevent" tool, which is present on all Android devices, to log the X and Y coordinates of every touch. He could also use getevent to record swiping motions and when hardware buttons were pressed.

For Androids that aren't rooted, which is most of them, you can still use getevent. To do it, the phone needs to have USB debugging enabled and be connected to a computer. Using the Android Debug Bridge, Hindocha was able to get the elevated rights required to run getevent.

Of course, Android devices aren't in debugging mode by default (and we highly recommend never activating it). Also, the need for physical access to a device greatly limits the efficacy of this attack. However, Hindocha demonstrated that it is theoretically possible to use a combination of malicious live wallpapers—which require no special permissions to view touch data—and overlay apps to intercept touch information on non-rooted devices.

You've Got The Touch

Once they figured out how to get the touch data, the researchers had to figure out what to do with it. At first, they assumed that it would be necessary to capture screenshots in order to map the touch information to something useful. But Hindocha said that wasn't the case. "As we progressed, I realized I could quite easily figure out what was happening just by looking at the dots," he said.

The trick was looking for particular clues to indicate what kind of input was going on. Particular movements of dragging and tapping could be Angry Birds, while four taps and then a fifth on the lower right of the screen is probably a PIN. Hindocha said that they were able to tell when emails or text messages were being written because the area where the backspace key resides was hit repeatedly. "People make a lot of mistakes when they write emails," he explained.

Staying Safe

The researchers noted that this was just one method to capture what was typed into a smartphone. Malicious keyboards, for example, could just as easily steal your banking passwords.

iOS users concerned about touchlogging should avoid jailbreaking their devices, though the FireEye research suggests that this is not enough. Fortunately, McCauley said, method swizzling is fairly easy for savvy device managers to detect.

For Android, the issue is a bit more fraught. Again, rooting a device opens you up to attack. Also, enabling debugging mode gives attackers an in to your device. These normally aren't present in stock Android phones, though McCauley presented an important exception. He said that in the course of their research, they discovered that phones shipped from an unnamed manufacturer were configured in such a way that could allow attackers to access getevent.
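The Android settings named above can be audited from a workstation. The script below is an added example, not code from the presenters or this article: it flags USB debugging, a debuggable build, and world-readable /dev/input nodes (the event devices getevent reads). The last two checks and the sample listing are assumptions constructed for illustration, not the unnamed manufacturer's actual configuration.

```shell
#!/bin/sh
# Added example: audit settings that expose touch events to getevent.
# On a real device the three inputs would come from:
#   adb shell settings get global adb_enabled
#   adb shell getprop ro.debuggable
#   adb shell ls -l /dev/input
# They are passed in as text here so the logic runs offline.

# Print names of character devices whose mode grants read to "other".
# Assumes `ls -l` style lines: mode string first, node name last.
world_readable_inputs() {
    printf '%s\n' "$1" | awk '$1 ~ /^c......r/ { print $NF }'
}

# audit_touchlog_exposure ADB_ENABLED RO_DEBUGGABLE LS_OUTPUT
# Prints one FINDING line per risky setting, or a single OK line.
audit_touchlog_exposure() {
    findings=0
    if [ "$1" = "1" ]; then
        echo "FINDING: USB debugging is enabled (adb_enabled=1)"
        findings=$((findings + 1))
    fi
    if [ "$2" = "1" ]; then
        echo "FINDING: debuggable build (ro.debuggable=1), adb can run as root"
        findings=$((findings + 1))
    fi
    for node in $(world_readable_inputs "$3"); do
        echo "FINDING: /dev/input/$node is world-readable"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ] && echo "OK: no touchlogging exposure found"
    return 0
}

# Constructed sample input (not captured from a real device).
SAMPLE_LS='crw-rw---- root input 13, 64 2014-02-27 10:01 event0
crw-rw-r-- root input 13, 65 2014-02-27 10:01 event1'

audit_touchlog_exposure 1 0 "$SAMPLE_LS"
```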

Though their research has practical applications, it's still largely theoretical. Our taps and swipes are safe, at least for now.

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.
Prior to PCMag, Max wrote for the International Digital Times, The International Science Times, and The Mary Sue. He has also been known to write for Geek.com. You can follow him on...